Executive Summary: International data transfers
By using web analytics tools you transmit data to the third parties providing the service. If the third-party provider is located outside the European Economic Area (EEA), the operator must comply with the regulatory framework for international data transfers under the General Data Protection Regulation (GDPR).
The transfer of personal data to third parties outside the EEA can be based solely on user consent if the third country, where the data recipients are located, has an adequacy decision by the EU Commission, i.e. confirmation of an adequate level of data protection. If such is not given, user consent is not a sufficient legal basis and the transfer needs an alternative justification.
Following the invalidation of the EU-U.S. Privacy Shield by the CJEU Schrems II ruling, practically the only remaining option for the data transfer to third-party providers based in the U.S., such as Google Analytics, is to rely on standard contractual clauses.
However, according to the ruling even if standard contractual clauses are in place, you must provide “supplementary measures” to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.
According to the guidelines of the European Data Protection Board (EDPB), pseudonymization is an effective supplementary measure as long as the singling-out or re-identification of individual users is not possible.
For the UK, no longer a member of the EU, different rules may apply.
Please be aware that this only serves informational purposes and does not constitute legal advice.
Mehr Information
Google Analytics 4: How to become privacy-compliant without switching
Looking for Google Analytics alternatives? We outline the options for making your analytics privacy compliant – and why staying with GA4 might be the best one.
Why is data quality crucial for digital marketing success?
With high data quality, marketers gain more insights into user behaviour and increase ad performance and conversions.
Data Privacy Framework will be challenged: Is Schrems III looming?
The new Data Privacy Framework has been approved by the EU. But will it survive Max Schrems' challenge in the courts?